SlideShare uma empresa Scribd logo

Marcus Ranum on Bad Idea Zombies

David Strom
David Strom

Security disasters can emanate from many places but often the main contributor is the disconnect that exists between CIO’s (and executives in general) and the technical staff. This disconnect can give life to the scariest undead creature in the business world: <b>the bad idea zombie.

TecnologiaNegócios
1 de 25
Baixar para ler offline
Anatomy of The Security Disaster Marcus J. Ranum (mjr@tenablesecurity.com) Tenable Network Security, Inc.
The Security Disaster • What is the problem? – Dangerous stuff is being done by people who think it is being done safely – Their incomprehension of the danger encourages increased exposure (the “it hasn’t happened yet” effect) • We are at the point where cyberterror starts to become a legitimate fear
The Future • “It's a problem for security people because their career depends on their ability to enable the business securely. We have had six years of "regulation-based job security" for the whiners. That era is coming to an end.” Alan Paller, SANS
The Security Disaster • In other words, the problem is going to get worse • What is scary is the existing scope of the problem is already very broad; the current state of affairs has been gestating for 10+ years
What Will We Do? (that will not work) • Spend our way out of the hole – Cost of doing it right exceeds cost of re- doing it – Currently an installed base of doing it wrong – Inertia (financial and technological) ...in other words: we’re already so deep into this that physics has taken over
Do We Learn? • Do pro-active measures actually carry weight? • Disaster-and-patch is the current strategy
Time Line of a Typical Disaster 1) Inception of bad idea 2) Identification as bad idea 3) Negotiation 4) Search for Plan B 5) Failure to re-adjust expectations 6) Initial failure conditions are noticed 7) Denial or kludging 8) Failure 2.2) Memos generated! 6.2) Memos generated! Opportunity for cover-up or conspiracy
Time Line of a Typical Disaster (cont) 9) Hunt for the guilty 10) Finger Pointing 11) Memo Archaeology 12) Slaughter of the Innocents 13) Failure to learn REPEAT Memos from 2.2 and 6.2 resurface!
Failure of Risk Management • The premise of the “risk management” approach to security is that good thinking happens at stage #3 – In fact, what happens is that the good thinking is largely undone by the time you get to stage #7 • Every organization that is performing “risk management” is currently in denial
Failure of Communication • The premise of the “improved communication” approach to security is that good thinking happens at stage #2, #4, #6, and #7 – That’s simply expecting too much good thinking to happen
Failure of Education • The premise of the “educate the manager, educate the business” approach to security is the same as the “communication” idea except for the assumption that the right thing is just going to happen organically – That’s utter fantasy
Failure of Legislation • The legislative approach (what is being most widely attempted right now) relies on publicly identifying organizations that failed at stage #8 and hoping that organizations that are already at stage #7 are going to magically wind back the clock to stage #3 – Will always be seen as prohibitively expensive
Economic Models • A popular fad nowadays is “economic models” of security – Essentially the attempt to correctly place security in the value chain – This almost always results in security being given a high presumed value and low cost (a nice way of saying, “highly fudged”) • Even so, security is a “market failure”
Epic Failures • When failures occur, someone has to take the blame – Standard failure mode is management states “I take full responsibility” • …but someone else takes the fall • In US DOD gov’t space that is virtually always a contractor (because it’s only contractors that actually do anything) But let’s look closer at what’s happening...
The Middle Layer • According to Alan Paller: – Security has to enable business – In cases where failures occur it is discovered that technologists lied about how safe systems were • Reveals profound disconnect between what management thinks, and reality – This should not be news to most of you
The Middle Layer (cont) • My observation in return was that: – The technologists told the truth; it’s simply that management didn’t hear the truth – Management remembers what it asked for not what it heard in response – Result is a massive disconnect between management expectations and ground reality
The “Plan A” “Plan B” Effect • Management asks for “(something dumb) with perfect security” – Technology answers “it can’t be done” • Management then asks for “Plan B” – Continues shopping the idea until someone cooks up something that will mostly work
Expectation Level • The problem is that the expectation level does not get reset in this process – Management simply continues to forge ahead with the idea that “perfect security” remains part of the equation • Meanwhile there are memos from technologists that say (variously) “We can do it, but there are substantial risks…” (2.2 and 6.2)
The Space Shuttle Disasters • The quintessence of this kind of failure is described by Richard Feynman in his minority report about the Challenger disaster – Feynman was dead when the Columbia broke up, but the failure paradigm in the Columbia disaster was exactly the same • We consistently see disconnect between expectation and reality
Breaking the Cycle • What can we do? – Ensure maximum clarity at all parts of stage #2, #3, #4, #5 – Pre-allocate blame at stage #7 and #8 • Technical / responsible individuals must make sure to document that they issued warnings in stage #8 – And, if you actually want things to get better, the warnings must get high enough
Breaking the Cycle (summary) • Key phrases: – “We must re-assess the decision to…” – “The risk estimate of regarding (blank) is optimistic…” – “Continuing with (blank) represents additional investment in a risky decision…”
A Grim Future • The behaviors that I am describing are fundamental behaviors that are ingrained in human optimism – If I am correct, virtually all of the work that is currently being done to bring systems into compliance with regulations will represent wasted effort – Web2.0 rapid adoption includes the next tidal wave of bad ideas, and is already upon us
Understanding Failure as Complexity Increases • I have already encountered two forensic/response cases in which the client had no interest in actually figuring out what went wrong they simply wanted to “fix it” • Models of distributing and sharing risk make no sense when risk is “pick an number between 0% and 100%”
Summary • After 20 years working in information security I am convinced that the situation is not only beyond repair; it is getting worse • Have a nice day!

Recomendados

Brighttalk outage insurance- what you need to know - final
Brighttalk outage insurance- what you need to know - finalBrighttalk outage insurance- what you need to know - final
Brighttalk outage insurance- what you need to know - finalAndrew White
 
Brighttalk learning to cook- network management recipes - final
Brighttalk learning to cook- network management recipes - finalBrighttalk learning to cook- network management recipes - final
Brighttalk learning to cook- network management recipes - finalAndrew White
 
Brighttalk reason 114 for learning math - final
Brighttalk reason 114 for learning math - finalBrighttalk reason 114 for learning math - final
Brighttalk reason 114 for learning math - finalAndrew White
 
Carrot stick-consequences-app secdc-2010
Carrot stick-consequences-app secdc-2010Carrot stick-consequences-app secdc-2010
Carrot stick-consequences-app secdc-2010orcus666
 
Bright talk running a cloud - final
Bright talk running a cloud - finalBright talk running a cloud - final
Bright talk running a cloud - finalAndrew White
 
Creating a Technology Disaster Plan
Creating a Technology Disaster PlanCreating a Technology Disaster Plan
Creating a Technology Disaster PlanLegal Services National Technology Assistance Project (LSNTAP)
 
Banning Whining, Avoiding Cyber Wolves, and Creating Warrior
Banning Whining, Avoiding Cyber Wolves, and Creating WarriorBanning Whining, Avoiding Cyber Wolves, and Creating Warrior
Banning Whining, Avoiding Cyber Wolves, and Creating WarriorSandra (Sandy) Dunn
 
Managing Risk or Reacting to Compliance
Managing Risk or Reacting to ComplianceManaging Risk or Reacting to Compliance
Managing Risk or Reacting to ComplianceEvan Francen
 

Recomendados

Brighttalk outage insurance- what you need to know - final
Brighttalk outage insurance- what you need to know - finalBrighttalk outage insurance- what you need to know - final
Brighttalk outage insurance- what you need to know - finalAndrew White
 
Brighttalk learning to cook- network management recipes - final
Brighttalk learning to cook- network management recipes - finalBrighttalk learning to cook- network management recipes - final
Brighttalk learning to cook- network management recipes - finalAndrew White
 
Brighttalk reason 114 for learning math - final
Brighttalk reason 114 for learning math - finalBrighttalk reason 114 for learning math - final
Brighttalk reason 114 for learning math - finalAndrew White
 
Carrot stick-consequences-app secdc-2010
Carrot stick-consequences-app secdc-2010Carrot stick-consequences-app secdc-2010
Carrot stick-consequences-app secdc-2010orcus666
 
Bright talk running a cloud - final
Bright talk running a cloud - finalBright talk running a cloud - final
Bright talk running a cloud - finalAndrew White
 
Creating a Technology Disaster Plan
Creating a Technology Disaster PlanCreating a Technology Disaster Plan
Creating a Technology Disaster PlanLegal Services National Technology Assistance Project (LSNTAP)
 
Banning Whining, Avoiding Cyber Wolves, and Creating Warrior
Banning Whining, Avoiding Cyber Wolves, and Creating WarriorBanning Whining, Avoiding Cyber Wolves, and Creating Warrior
Banning Whining, Avoiding Cyber Wolves, and Creating WarriorSandra (Sandy) Dunn
 
Managing Risk or Reacting to Compliance
Managing Risk or Reacting to ComplianceManaging Risk or Reacting to Compliance
Managing Risk or Reacting to ComplianceEvan Francen
 
Big Data Berlin – Automating Decisions is the Next Frontier for Big Data
Big Data Berlin – Automating Decisions is the Next Frontier for Big DataBig Data Berlin – Automating Decisions is the Next Frontier for Big Data
Big Data Berlin – Automating Decisions is the Next Frontier for Big DataLars Trieloff
 
Brighttalk getting back on track - final
Brighttalk getting back on track - finalBrighttalk getting back on track - final
Brighttalk getting back on track - finalAndrew White
 
Covid 19: Understanding the context using systems thinking techniques webinar...
Covid 19: Understanding the context using systems thinking techniques webinar...Covid 19: Understanding the context using systems thinking techniques webinar...
Covid 19: Understanding the context using systems thinking techniques webinar...Association for Project Management
 
Data Natives 2015: Predictive Applications are Going to Steal Your Job: this ...
Data Natives 2015: Predictive Applications are Going to Steal Your Job: this ...Data Natives 2015: Predictive Applications are Going to Steal Your Job: this ...
Data Natives 2015: Predictive Applications are Going to Steal Your Job: this ...Lars Trieloff
 
"Security on the Brain" Security & Risk Psychology Workshop Nov 2013
"Security on the Brain" Security & Risk Psychology Workshop Nov 2013"Security on the Brain" Security & Risk Psychology Workshop Nov 2013
"Security on the Brain" Security & Risk Psychology Workshop Nov 2013Adrian Wright
 
Systems Concepts for Agile Practitioners
Systems Concepts for Agile PractitionersSystems Concepts for Agile Practitioners
Systems Concepts for Agile PractitionersRoger Brown
 
Become an Exponential Organization, Change the World Faster
Become an Exponential Organization, Change the World FasterBecome an Exponential Organization, Change the World Faster
Become an Exponential Organization, Change the World FasterGary A. Bolles
 
Cybersecurity and liability your david willson
Cybersecurity and liability your david willsonCybersecurity and liability your david willson
Cybersecurity and liability your david willsonDavid Willson, Attorney, CISSP, Security +
 
The big-data revolution in healthcare
The big-data revolution in healthcareThe big-data revolution in healthcare
The big-data revolution in healthcareVaibhav Srivastav
 
Timelines and Prediction of Conscious Machines by Emerj AI Research
Timelines and Prediction of Conscious Machines by Emerj AI Research Timelines and Prediction of Conscious Machines by Emerj AI Research
Timelines and Prediction of Conscious Machines by Emerj AI Research Emerj
 
The Open Group San Diego Panel Explores Global Cybersecurity Issues for Impro...
The Open Group San Diego Panel Explores Global Cybersecurity Issues for Impro...The Open Group San Diego Panel Explores Global Cybersecurity Issues for Impro...
The Open Group San Diego Panel Explores Global Cybersecurity Issues for Impro...Dana Gardner
 
Teaching Johnny Not to Fall for Phish, for ISSA 2011 in Pittsburgh on Feb2011
Teaching Johnny Not to Fall for Phish, for ISSA 2011 in Pittsburgh on Feb2011Teaching Johnny Not to Fall for Phish, for ISSA 2011 in Pittsburgh on Feb2011
Teaching Johnny Not to Fall for Phish, for ISSA 2011 in Pittsburgh on Feb2011Jason Hong
 
Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...
Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...
Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...Dana Gardner
 
Tech Tips 2 Defeat Distraction NAG 2020
Tech Tips 2 Defeat Distraction NAG 2020Tech Tips 2 Defeat Distraction NAG 2020
Tech Tips 2 Defeat Distraction NAG 2020Brian Housand
 
How To Develop A Company Disaster Plan
How To Develop A Company Disaster PlanHow To Develop A Company Disaster Plan
How To Develop A Company Disaster PlanJennifer H. Elder
 
Evolving it security Threats and Solutions
Evolving it security Threats and SolutionsEvolving it security Threats and Solutions
Evolving it security Threats and SolutionsUniversity of Hertfordshire
 
COMPISSUES08 - Credibility of Technology
COMPISSUES08 - Credibility of TechnologyCOMPISSUES08 - Credibility of Technology
COMPISSUES08 - Credibility of TechnologyMichael Heron
 
Challenges of remote working in P3M – identifying, understanding and options ...
Challenges of remote working in P3M – identifying, understanding and options ...Challenges of remote working in P3M – identifying, understanding and options ...
Challenges of remote working in P3M – identifying, understanding and options ...Association for Project Management
 
Lean Security
Lean SecurityLean Security
Lean SecuritySeniorStoryteller
 
Automated decision making with predictive applications – Big Data Amsterdam
Automated decision making with predictive applications – Big Data AmsterdamAutomated decision making with predictive applications – Big Data Amsterdam
Automated decision making with predictive applications – Big Data AmsterdamLars Trieloff
 
Top 12 Threats to Enterprise
Top 12 Threats to EnterpriseTop 12 Threats to Enterprise
Top 12 Threats to EnterpriseArgyle Executive Forum
 
The BIG ONE 2.0 - HouSecCon
The BIG ONE 2.0 - HouSecConThe BIG ONE 2.0 - HouSecCon
The BIG ONE 2.0 - HouSecConMichael Gough
 

Mais conteúdo relacionado

Mais procurados

Big Data Berlin – Automating Decisions is the Next Frontier for Big Data
Big Data Berlin – Automating Decisions is the Next Frontier for Big DataBig Data Berlin – Automating Decisions is the Next Frontier for Big Data
Big Data Berlin – Automating Decisions is the Next Frontier for Big DataLars Trieloff
 
Brighttalk getting back on track - final
Brighttalk getting back on track - finalBrighttalk getting back on track - final
Brighttalk getting back on track - finalAndrew White
 
Covid 19: Understanding the context using systems thinking techniques webinar...
Covid 19: Understanding the context using systems thinking techniques webinar...Covid 19: Understanding the context using systems thinking techniques webinar...
Covid 19: Understanding the context using systems thinking techniques webinar...Association for Project Management
 
Data Natives 2015: Predictive Applications are Going to Steal Your Job: this ...
Data Natives 2015: Predictive Applications are Going to Steal Your Job: this ...Data Natives 2015: Predictive Applications are Going to Steal Your Job: this ...
Data Natives 2015: Predictive Applications are Going to Steal Your Job: this ...Lars Trieloff
 
"Security on the Brain" Security & Risk Psychology Workshop Nov 2013
"Security on the Brain" Security & Risk Psychology Workshop Nov 2013"Security on the Brain" Security & Risk Psychology Workshop Nov 2013
"Security on the Brain" Security & Risk Psychology Workshop Nov 2013Adrian Wright
 
Systems Concepts for Agile Practitioners
Systems Concepts for Agile PractitionersSystems Concepts for Agile Practitioners
Systems Concepts for Agile PractitionersRoger Brown
 
Become an Exponential Organization, Change the World Faster
Become an Exponential Organization, Change the World FasterBecome an Exponential Organization, Change the World Faster
Become an Exponential Organization, Change the World FasterGary A. Bolles
 
The big-data revolution in healthcare
The big-data revolution in healthcareThe big-data revolution in healthcare
The big-data revolution in healthcareVaibhav Srivastav
 
Timelines and Prediction of Conscious Machines by Emerj AI Research
Timelines and Prediction of Conscious Machines by Emerj AI Research Timelines and Prediction of Conscious Machines by Emerj AI Research
Timelines and Prediction of Conscious Machines by Emerj AI Research Emerj
 
The Open Group San Diego Panel Explores Global Cybersecurity Issues for Impro...
The Open Group San Diego Panel Explores Global Cybersecurity Issues for Impro...The Open Group San Diego Panel Explores Global Cybersecurity Issues for Impro...
The Open Group San Diego Panel Explores Global Cybersecurity Issues for Impro...Dana Gardner
 
Teaching Johnny Not to Fall for Phish, for ISSA 2011 in Pittsburgh on Feb2011
Teaching Johnny Not to Fall for Phish, for ISSA 2011 in Pittsburgh on Feb2011Teaching Johnny Not to Fall for Phish, for ISSA 2011 in Pittsburgh on Feb2011
Teaching Johnny Not to Fall for Phish, for ISSA 2011 in Pittsburgh on Feb2011Jason Hong
 
Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...
Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...
Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...Dana Gardner
 
Tech Tips 2 Defeat Distraction NAG 2020
Tech Tips 2 Defeat Distraction NAG 2020Tech Tips 2 Defeat Distraction NAG 2020
Tech Tips 2 Defeat Distraction NAG 2020Brian Housand
 
How To Develop A Company Disaster Plan
How To Develop A Company Disaster PlanHow To Develop A Company Disaster Plan
How To Develop A Company Disaster PlanJennifer H. Elder
 
COMPISSUES08 - Credibility of Technology
COMPISSUES08 - Credibility of TechnologyCOMPISSUES08 - Credibility of Technology
COMPISSUES08 - Credibility of TechnologyMichael Heron
 
Challenges of remote working in P3M – identifying, understanding and options ...
Challenges of remote working in P3M – identifying, understanding and options ...Challenges of remote working in P3M – identifying, understanding and options ...
Challenges of remote working in P3M – identifying, understanding and options ...Association for Project Management
 
Automated decision making with predictive applications – Big Data Amsterdam
Automated decision making with predictive applications – Big Data AmsterdamAutomated decision making with predictive applications – Big Data Amsterdam
Automated decision making with predictive applications – Big Data AmsterdamLars Trieloff
 

Mais procurados (20)

Big Data Berlin – Automating Decisions is the Next Frontier for Big Data
Big Data Berlin – Automating Decisions is the Next Frontier for Big DataBig Data Berlin – Automating Decisions is the Next Frontier for Big Data
Big Data Berlin – Automating Decisions is the Next Frontier for Big Data
 
Brighttalk getting back on track - final
Brighttalk getting back on track - finalBrighttalk getting back on track - final
Brighttalk getting back on track - final
 
Covid 19: Understanding the context using systems thinking techniques webinar...
Covid 19: Understanding the context using systems thinking techniques webinar...Covid 19: Understanding the context using systems thinking techniques webinar...
Covid 19: Understanding the context using systems thinking techniques webinar...
 
Data Natives 2015: Predictive Applications are Going to Steal Your Job: this ...
Data Natives 2015: Predictive Applications are Going to Steal Your Job: this ...Data Natives 2015: Predictive Applications are Going to Steal Your Job: this ...
Data Natives 2015: Predictive Applications are Going to Steal Your Job: this ...
 
"Security on the Brain" Security & Risk Psychology Workshop Nov 2013
"Security on the Brain" Security & Risk Psychology Workshop Nov 2013"Security on the Brain" Security & Risk Psychology Workshop Nov 2013
"Security on the Brain" Security & Risk Psychology Workshop Nov 2013
 
Systems Concepts for Agile Practitioners
Systems Concepts for Agile PractitionersSystems Concepts for Agile Practitioners
Systems Concepts for Agile Practitioners
 
Become an Exponential Organization, Change the World Faster
Become an Exponential Organization, Change the World FasterBecome an Exponential Organization, Change the World Faster
Become an Exponential Organization, Change the World Faster
 
Cybersecurity and liability your david willson
Cybersecurity and liability your david willsonCybersecurity and liability your david willson
Cybersecurity and liability your david willson
 
The big-data revolution in healthcare
The big-data revolution in healthcareThe big-data revolution in healthcare
The big-data revolution in healthcare
 
Timelines and Prediction of Conscious Machines by Emerj AI Research
Timelines and Prediction of Conscious Machines by Emerj AI Research Timelines and Prediction of Conscious Machines by Emerj AI Research
Timelines and Prediction of Conscious Machines by Emerj AI Research
 
The Open Group San Diego Panel Explores Global Cybersecurity Issues for Impro...
The Open Group San Diego Panel Explores Global Cybersecurity Issues for Impro...The Open Group San Diego Panel Explores Global Cybersecurity Issues for Impro...
The Open Group San Diego Panel Explores Global Cybersecurity Issues for Impro...
 
Teaching Johnny Not to Fall for Phish, for ISSA 2011 in Pittsburgh on Feb2011
Teaching Johnny Not to Fall for Phish, for ISSA 2011 in Pittsburgh on Feb2011Teaching Johnny Not to Fall for Phish, for ISSA 2011 in Pittsburgh on Feb2011
Teaching Johnny Not to Fall for Phish, for ISSA 2011 in Pittsburgh on Feb2011
 
Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...
Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...
Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...
 
Tech Tips 2 Defeat Distraction NAG 2020
Tech Tips 2 Defeat Distraction NAG 2020Tech Tips 2 Defeat Distraction NAG 2020
Tech Tips 2 Defeat Distraction NAG 2020
 
How To Develop A Company Disaster Plan
How To Develop A Company Disaster PlanHow To Develop A Company Disaster Plan
How To Develop A Company Disaster Plan
 
Evolving it security Threats and Solutions
Evolving it security Threats and SolutionsEvolving it security Threats and Solutions
Evolving it security Threats and Solutions
 
COMPISSUES08 - Credibility of Technology
COMPISSUES08 - Credibility of TechnologyCOMPISSUES08 - Credibility of Technology
COMPISSUES08 - Credibility of Technology
 
Challenges of remote working in P3M – identifying, understanding and options ...
Challenges of remote working in P3M – identifying, understanding and options ...Challenges of remote working in P3M – identifying, understanding and options ...
Challenges of remote working in P3M – identifying, understanding and options ...
 
Lean Security
Lean SecurityLean Security
Lean Security
 
Automated decision making with predictive applications – Big Data Amsterdam
Automated decision making with predictive applications – Big Data AmsterdamAutomated decision making with predictive applications – Big Data Amsterdam
Automated decision making with predictive applications – Big Data Amsterdam
 

Semelhante a Marcus Ranum on Bad Idea Zombies

The BIG ONE 2.0 - HouSecCon
The BIG ONE 2.0 - HouSecConThe BIG ONE 2.0 - HouSecCon
The BIG ONE 2.0 - HouSecConMichael Gough
 
Architecting a Post Mortem - Velocity 2018 San Jose Tutorial
Architecting a Post Mortem - Velocity 2018 San Jose TutorialArchitecting a Post Mortem - Velocity 2018 San Jose Tutorial
Architecting a Post Mortem - Velocity 2018 San Jose TutorialWill Gallego
 
The Hacking Team Hack: Lessons Learned for Enterprise Security
The Hacking Team Hack: Lessons Learned for Enterprise SecurityThe Hacking Team Hack: Lessons Learned for Enterprise Security
The Hacking Team Hack: Lessons Learned for Enterprise SecurityStephen Cobb
 
The Art of Human Hacking : Social Engineering
The Art of Human Hacking : Social Engineering The Art of Human Hacking : Social Engineering
The Art of Human Hacking : Social Engineering OWASP Foundation
 
Jack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, AnecdotallyJack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, AnecdotallyEnergySec
 
The Future of Advanced Analytics
The Future of Advanced AnalyticsThe Future of Advanced Analytics
The Future of Advanced AnalyticsHaystax Technology
 
Leadership In Crises Mode Asme Presentation
Leadership In Crises Mode Asme PresentationLeadership In Crises Mode Asme Presentation
Leadership In Crises Mode Asme PresentationDavid Tennant
 
2022 Rea & Associates' Cybersecurity Conference
2022 Rea & Associates' Cybersecurity Conference 2022 Rea & Associates' Cybersecurity Conference
2022 Rea & Associates' Cybersecurity Conference Rea & Associates
 
Baker - Foundation and Operational Learning.pdf
Baker - Foundation and Operational Learning.pdfBaker - Foundation and Operational Learning.pdf
Baker - Foundation and Operational Learning.pdfRobsonD1
 
How to Spend Your Cloud Security Dollar
How to Spend Your Cloud Security DollarHow to Spend Your Cloud Security Dollar
How to Spend Your Cloud Security DollarHostway|HOSTING
 
DeepSec 2014 - The Measured CSO
DeepSec 2014 - The Measured CSODeepSec 2014 - The Measured CSO
DeepSec 2014 - The Measured CSOAlexander Hutton
 
How to Communicate the Actual Readiness of your IT Security Program for PCI 3...
How to Communicate the Actual Readiness of your IT Security Program for PCI 3...How to Communicate the Actual Readiness of your IT Security Program for PCI 3...
How to Communicate the Actual Readiness of your IT Security Program for PCI 3...RedZone Technologies
 
The 10 Secret Codes of Security
The 10 Secret Codes of SecurityThe 10 Secret Codes of Security
The 10 Secret Codes of SecurityKarina Elise
 
Cybersecurity Risk Governance
Cybersecurity Risk GovernanceCybersecurity Risk Governance
Cybersecurity Risk GovernanceDan Michaluk
 
Cybersecurity in 2016
Cybersecurity in 2016Cybersecurity in 2016
Cybersecurity in 2016Ben Finke
 
20161109_Mahan_Brighttalk_Webinar_Final
20161109_Mahan_Brighttalk_Webinar_Final20161109_Mahan_Brighttalk_Webinar_Final
20161109_Mahan_Brighttalk_Webinar_FinalPhillip Mahan
 
What Makes a Good Police OfficerThe most honest and direct re.docx
What Makes a Good Police OfficerThe most honest and direct re.docxWhat Makes a Good Police OfficerThe most honest and direct re.docx
What Makes a Good Police OfficerThe most honest and direct re.docxlillie234567
 
Cyber Incident Response - When it happens, will you be ready?
Cyber Incident Response - When it happens, will you be ready?Cyber Incident Response - When it happens, will you be ready?
Cyber Incident Response - When it happens, will you be ready?Dan Michaluk
 
Insider Threat - How Do You Find a Wolf in Sheep's Clothing?
Insider Threat - How Do You Find a Wolf in Sheep's Clothing?Insider Threat - How Do You Find a Wolf in Sheep's Clothing?
Insider Threat - How Do You Find a Wolf in Sheep's Clothing?dianadvo
 

Semelhante a Marcus Ranum on Bad Idea Zombies (20)

Top 12 Threats to Enterprise
Top 12 Threats to EnterpriseTop 12 Threats to Enterprise
Top 12 Threats to Enterprise
 
The BIG ONE 2.0 - HouSecCon
The BIG ONE 2.0 - HouSecConThe BIG ONE 2.0 - HouSecCon
The BIG ONE 2.0 - HouSecCon
 
Architecting a Post Mortem - Velocity 2018 San Jose Tutorial
Architecting a Post Mortem - Velocity 2018 San Jose TutorialArchitecting a Post Mortem - Velocity 2018 San Jose Tutorial
Architecting a Post Mortem - Velocity 2018 San Jose Tutorial
 
The Hacking Team Hack: Lessons Learned for Enterprise Security
The Hacking Team Hack: Lessons Learned for Enterprise SecurityThe Hacking Team Hack: Lessons Learned for Enterprise Security
The Hacking Team Hack: Lessons Learned for Enterprise Security
 
The Art of Human Hacking : Social Engineering
The Art of Human Hacking : Social Engineering The Art of Human Hacking : Social Engineering
The Art of Human Hacking : Social Engineering
 
Jack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, AnecdotallyJack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, Anecdotally
 
The Future of Advanced Analytics
The Future of Advanced AnalyticsThe Future of Advanced Analytics
The Future of Advanced Analytics
 
Leadership In Crises Mode Asme Presentation
Leadership In Crises Mode Asme PresentationLeadership In Crises Mode Asme Presentation
Leadership In Crises Mode Asme Presentation
 
2022 Rea & Associates' Cybersecurity Conference
2022 Rea & Associates' Cybersecurity Conference 2022 Rea & Associates' Cybersecurity Conference
2022 Rea & Associates' Cybersecurity Conference
 
Baker - Foundation and Operational Learning.pdf
Baker - Foundation and Operational Learning.pdfBaker - Foundation and Operational Learning.pdf
Baker - Foundation and Operational Learning.pdf
 
How to Spend Your Cloud Security Dollar
How to Spend Your Cloud Security DollarHow to Spend Your Cloud Security Dollar
How to Spend Your Cloud Security Dollar
 
DeepSec 2014 - The Measured CSO
DeepSec 2014 - The Measured CSODeepSec 2014 - The Measured CSO
DeepSec 2014 - The Measured CSO
 
How to Communicate the Actual Readiness of your IT Security Program for PCI 3...
How to Communicate the Actual Readiness of your IT Security Program for PCI 3...How to Communicate the Actual Readiness of your IT Security Program for PCI 3...
How to Communicate the Actual Readiness of your IT Security Program for PCI 3...
 
The 10 Secret Codes of Security
The 10 Secret Codes of SecurityThe 10 Secret Codes of Security
The 10 Secret Codes of Security
 
Cybersecurity Risk Governance
Cybersecurity Risk GovernanceCybersecurity Risk Governance
Cybersecurity Risk Governance
 
Cybersecurity in 2016
Cybersecurity in 2016Cybersecurity in 2016
Cybersecurity in 2016
 
20161109_Mahan_Brighttalk_Webinar_Final
20161109_Mahan_Brighttalk_Webinar_Final20161109_Mahan_Brighttalk_Webinar_Final
20161109_Mahan_Brighttalk_Webinar_Final
 
What Makes a Good Police OfficerThe most honest and direct re.docx
What Makes a Good Police OfficerThe most honest and direct re.docxWhat Makes a Good Police OfficerThe most honest and direct re.docx
What Makes a Good Police OfficerThe most honest and direct re.docx
 
Cyber Incident Response - When it happens, will you be ready?
Cyber Incident Response - When it happens, will you be ready?Cyber Incident Response - When it happens, will you be ready?
Cyber Incident Response - When it happens, will you be ready?
 
Insider Threat - How Do You Find a Wolf in Sheep's Clothing?
Insider Threat - How Do You Find a Wolf in Sheep's Clothing?Insider Threat - How Do You Find a Wolf in Sheep's Clothing?
Insider Threat - How Do You Find a Wolf in Sheep's Clothing?
 

Mais de David Strom

Spark Twitter fails Mar2023
Spark Twitter fails Mar2023Spark Twitter fails Mar2023
Spark Twitter fails Mar2023David Strom
 
Getting Your First Cybersecurity Job
Getting Your First Cybersecurity JobGetting Your First Cybersecurity Job
Getting Your First Cybersecurity JobDavid Strom
 
Understanding passwordless technologies
Understanding passwordless technologiesUnderstanding passwordless technologies
Understanding passwordless technologiesDavid Strom
 
What endpoint protection solutions are available on the market today?
What endpoint protection solutions are available on the market today?What endpoint protection solutions are available on the market today?
What endpoint protection solutions are available on the market today?David Strom
 
Fears and fulfillment with IT security
Fears and fulfillment with IT securityFears and fulfillment with IT security
Fears and fulfillment with IT securityDavid Strom
 
Protecting your digital and online privacy
Protecting your digital and online privacyProtecting your digital and online privacy
Protecting your digital and online privacyDavid Strom
 
AI and cyber security: new directions, old fears
AI and cyber security: new directions, old fearsAI and cyber security: new directions, old fears
AI and cyber security: new directions, old fearsDavid Strom
 
The legalities of hacking back
The legalities of hacking backThe legalities of hacking back
The legalities of hacking backDavid Strom
 
How to market your book in today's social media world
How to market your book in today's social media worldHow to market your book in today's social media world
How to market your book in today's social media worldDavid Strom
 
​Understanding the Internet of Things
​Understanding the Internet of Things​Understanding the Internet of Things
​Understanding the Internet of ThingsDavid Strom
 
How to make your mobile phone safe from hackers
How to make your mobile phone safe from hackersHow to make your mobile phone safe from hackers
How to make your mobile phone safe from hackersDavid Strom
 
Implications and response to large security breaches
Implications and response to large security breaches Implications and response to large security breaches
Implications and response to large security breaches David Strom
 
Using social networks to find your next job (2017)
Using social networks to find your next job (2017)Using social networks to find your next job (2017)
Using social networks to find your next job (2017)David Strom
 
Security v. Privacy: the great debate
Security v. Privacy: the great debateSecurity v. Privacy: the great debate
Security v. Privacy: the great debateDavid Strom
 
Using OpenStack to Control VM Chaos
Using OpenStack to Control VM ChaosUsing OpenStack to Control VM Chaos
Using OpenStack to Control VM ChaosDavid Strom
 
Notable Twitter fails
Notable Twitter failsNotable Twitter fails
Notable Twitter failsDavid Strom
 
How to make the move towards hybrid cloud computing
How to make the move towards hybrid cloud computingHow to make the move towards hybrid cloud computing
How to make the move towards hybrid cloud computingDavid Strom
 
Listen to Your Customers: How IT Can Provide Better Support
Listen to Your Customers: How IT Can Provide Better SupportListen to Your Customers: How IT Can Provide Better Support
Listen to Your Customers: How IT Can Provide Better SupportDavid Strom
 
Network security practice: then and now
Network security practice: then and nowNetwork security practice: then and now
Network security practice: then and nowDavid Strom
 
Biggest startup mistakes
Biggest startup mistakesBiggest startup mistakes
Biggest startup mistakesDavid Strom
 

Mais de David Strom (20)

Spark Twitter fails Mar2023
Spark Twitter fails Mar2023Spark Twitter fails Mar2023
Spark Twitter fails Mar2023
 
Getting Your First Cybersecurity Job
Getting Your First Cybersecurity JobGetting Your First Cybersecurity Job
Getting Your First Cybersecurity Job
 
Understanding passwordless technologies
Understanding passwordless technologiesUnderstanding passwordless technologies
Understanding passwordless technologies
 
What endpoint protection solutions are available on the market today?
What endpoint protection solutions are available on the market today?What endpoint protection solutions are available on the market today?
What endpoint protection solutions are available on the market today?
 
Fears and fulfillment with IT security
Fears and fulfillment with IT securityFears and fulfillment with IT security
Fears and fulfillment with IT security
 
Protecting your digital and online privacy
Protecting your digital and online privacyProtecting your digital and online privacy
Protecting your digital and online privacy
 
AI and cyber security: new directions, old fears
AI and cyber security: new directions, old fearsAI and cyber security: new directions, old fears
AI and cyber security: new directions, old fears
 
The legalities of hacking back
The legalities of hacking backThe legalities of hacking back
The legalities of hacking back
 
How to market your book in today's social media world
How to market your book in today's social media worldHow to market your book in today's social media world
How to market your book in today's social media world
 
​Understanding the Internet of Things
​Understanding the Internet of Things​Understanding the Internet of Things
​Understanding the Internet of Things
 
How to make your mobile phone safe from hackers
How to make your mobile phone safe from hackersHow to make your mobile phone safe from hackers
How to make your mobile phone safe from hackers
 
Implications and response to large security breaches
Implications and response to large security breaches Implications and response to large security breaches
Implications and response to large security breaches
 
Using social networks to find your next job (2017)
Using social networks to find your next job (2017)Using social networks to find your next job (2017)
Using social networks to find your next job (2017)
 
Security v. Privacy: the great debate
Security v. Privacy: the great debateSecurity v. Privacy: the great debate
Security v. Privacy: the great debate
 
Using OpenStack to Control VM Chaos
Using OpenStack to Control VM ChaosUsing OpenStack to Control VM Chaos
Using OpenStack to Control VM Chaos
 
Notable Twitter fails
Notable Twitter failsNotable Twitter fails
Notable Twitter fails
 
How to make the move towards hybrid cloud computing
How to make the move towards hybrid cloud computingHow to make the move towards hybrid cloud computing
How to make the move towards hybrid cloud computing
 
Listen to Your Customers: How IT Can Provide Better Support
Listen to Your Customers: How IT Can Provide Better SupportListen to Your Customers: How IT Can Provide Better Support
Listen to Your Customers: How IT Can Provide Better Support
 
Network security practice: then and now
Network security practice: then and nowNetwork security practice: then and now
Network security practice: then and now
 
Biggest startup mistakes
Biggest startup mistakesBiggest startup mistakes
Biggest startup mistakes
 

Último

Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 

Último (20)

Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 

Marcus Ranum on Bad Idea Zombies

  • 1. Anatomy of The Security Disaster Marcus J. Ranum (mjr@tenablesecurity.com) Tenable Network Security, Inc.
  • 2.
  • 3. The Security Disaster • What is the problem? – Dangerous stuff is being done by people who think it is being done safely – Their incomprehension of the danger encourages increased exposure (the “it hasn’t happened yet” effect) • We are at the point where cyberterror starts to become a legitimate fear
  • 4. The Future • “It's a problem for security people because their career depends on their ability to enable the business securely. We have had six years of "regulation-based job security" for the whiners. That era is coming to an end.” Alan Paller, SANS
  • 5. The Security Disaster • In other words, the problem is going to get worse • What is scary is the existing scope of the problem is already very broad; the current state of affairs has been gestating for 10+ years
  • 6. What Will We Do? (that will not work) • Spend our way out of the hole – Cost of doing it right exceeds cost of re- doing it – Currently an installed base of doing it wrong – Inertia (financial and technological) ...in other words: we’re already so deep into this that physics has taken over
  • 7. Do We Learn? • Do pro-active measures actually carry weight? • Disaster-and-patch is the current strategy
  • 8. Time Line of a Typical Disaster 1) Inception of bad idea 2) Identification as bad idea 3) Negotiation 4) Search for Plan B 5) Failure to re-adjust expectations 6) Initial failure conditions are noticed 7) Denial or kludging 8) Failure 2.2) Memos generated! 6.2) Memos generated! Opportunity for cover-up or conspiracy
  • 9. Time Line of a Typical Disaster (cont) 9) Hunt for the guilty 10) Finger Pointing 11) Memo Archaeology 12) Slaughter of the Innocents 13) Failure to learn REPEAT Memos from 2.2 and 6.2 resurface!
  • 10. Failure of Risk Management • The premise of the “risk management” approach to security is that good thinking happens at stage #3 – In fact, what happens is that the good thinking is largely undone by the time you get to stage #7 • Every organization that is performing “risk management” is currently in denial
  • 11. Failure of Communication • The premise of the “improved communication” approach to security is that good thinking happens at stage #2, #4, #6, and #7 – That’s simply expecting too much good thinking to happen
  • 12. Failure of Education • The premise of the “educate the manager, educate the business” approach to security is the same as the “communication” idea except for the assumption that the right thing is just going to happen organically – That’s utter fantasy
  • 13. Failure of Legislation • The legislative approach (what is being most widely attempted right now) relies on publicly identifying organizations that failed at stage #8 and hoping that organizations that are already at stage #7 are going to magically wind back the clock to stage #3 – Will always be seen as prohibitively expensive
  • 14. Economic Models • A popular fad nowadays is “economic models” of security – Essentially the attempt to correctly place security in the value chain – This almost always results in security being given a high presumed value and low cost (a nice way of saying, “highly fudged”) • Even so, security is a “market failure”
  • 15. Epic Failures • When failures occur, someone has to take the blame – Standard failure mode is management states “I take full responsibility” • …but someone else takes the fall • In US DOD gov’t space that is virtually always a contractor (because it’s only contractors that actually do anything) But let’s look closer at what’s happening...
  • 16. The Middle Layer • According to Alan Paller: – Security has to enable business – In cases where failures occur it is discovered that technologists lied about how safe systems were • Reveals profound disconnect between what management thinks, and reality – This should not be news to most of you
  • 17. The Middle Layer (cont) • My observation in return was that: – The technologists told the truth; it’s simply that management didn’t hear the truth – Management remembers what it asked for not what it heard in response – Result is a massive disconnect between management expectations and ground reality
  • 18. The “Plan A” “Plan B” Effect • Management asks for “(something dumb) with perfect security” – Technology answers “it can’t be done” • Management then asks for “Plan B” – Continues shopping the idea until someone cooks up something that will mostly work
  • 19. Expectation Level • The problem is that the expectation level does not get reset in this process – Management simply continues to forge ahead with the idea that “perfect security” remains part of the equation • Meanwhile there are memos from technologists that say (variously) “We can do it, but there are substantial risks…” (2.2 and 6.2)
  • 20. The Space Shuttle Disasters • The quintessence of this kind of failure is described by Richard Feynman in his minority report about the Challenger disaster – Feynman was dead when the Columbia broke up, but the failure paradigm in the Columbia disaster was exactly the same • We consistently see disconnect between expectation and reality
  • 21. Breaking the Cycle • What can we do? – Ensure maximum clarity at all parts of stage #2, #3, #4, #5 – Pre-allocate blame at stage #7 and #8 • Technical / responsible individuals must make sure to document that they issued warnings in stage #8 – And, if you actually want things to get better, the warnings must get high enough
  • 22. Breaking the Cycle (summary) • Key phrases: – “We must re-assess the decision to…” – “The risk estimate of regarding (blank) is optimistic…” – “Continuing with (blank) represents additional investment in a risky decision…”
  • 23. A Grim Future • The behaviors that I am describing are fundamental behaviors that are ingrained in human optimism – If I am correct, virtually all of the work that is currently being done to bring systems into compliance with regulations will represent wasted effort – Web2.0 rapid adoption includes the next tidal wave of bad ideas, and is already upon us
  • 24. Understanding Failure as Complexity Increases • I have already encountered two forensic/response cases in which the client had no interest in actually figuring out what went wrong they simply wanted to “fix it” • Models of distributing and sharing risk make no sense when risk is “pick an number between 0% and 100%”
  • 25. Summary • After 20 years working in information security I am convinced that the situation is not only beyond repair; it is getting worse • Have a nice day!